Working with all the technical and administrative parts of
security, you may easily overlook the physical component.
If you get too immersed in the technical details and other
aspects, it is entirely possible that you may miss something that can be physically done
to a piece of hardware or equipment, such as theft or vandalism. As an ethical hacker or
security administrator, you need to come to grips with the fact that not all of what you do
will be focused only on the technical aspects, so you must know how to protect your assets
from physical threats.
Those who perform malicious actions are well aware that although technology and
defenses have gotten better, the physical side is overlooked far too often. In many cases, if an
attacker does not have a clear or easy way of using technology to breach a target they may
move over to a physical attack to gain information or access. Techniques such as dumpster
diving and tailgating, among others, have proven very effective and popular. Additionally,
weaknesses in the security of a facility can allow a malicious or unauthorized party to gain
access to a portion of an office or location that they should not otherwise be able to access.
Attackers of all types are known to put locations under surveillance to look for these
weaknesses. These stakeouts allow an attacker to see traffic patterns and other activity in
and out of a location as well as the personnel, potentially giving them the ability to target
individuals or see when it may be an ideal time to breach a facility.
In this chapter we will cover many aspects of physical security, including the ways that
an attacker can gain control of an environment through nontechnical means.
Introducing Physical Security
Physical security acts, in many cases, are the primary protective boundary for personnel
assets in the real world. Physical security involves the protection of such assets as
personnel, hardware, applications, data, and facilities from fire, natural disasters, robbery,
theft, and insider threats.
The problem with physical security is that it can be easily overlooked in favor of the
more publicized technical issues. Companies do so at their own peril, however, since
nontechnical attacks can be carried out with little or no technical knowledge.
Simple Controls
Many controls can be used to protect and preserve the physical security of an organization.
You have already encountered many throughout this book. In many cases, just the visible
presence of controls is enough to stop an attack.